cephadm: apply more restrictive permissions on TLS files 37130/head
authorPaul Cuzner <pcuzner@redhat.com>
Wed, 2 Dec 2020 23:21:30 +0000 (12:21 +1300)
committerPaul Cuzner <pcuzner@redhat.com>
Wed, 2 Dec 2020 23:21:30 +0000 (12:21 +1300)
Changes permissions from 640 to 600 on the crt/key and
token files

Signed-off-by: Paul Cuzner <pcuzner@redhat.com>
src/cephadm/cephadm

index 46a62d5b9d961cd6116544a3534db8153a1541b8..e46286d9901f45956779947667a5253249048cd3 100755 (executable)
@@ -6131,7 +6131,7 @@ WantedBy=ceph-{fsid}.target
 
         # Create the required config files in the daemons dir, with restricted permissions
         for filename in config:
-            with open(os.open(os.path.join(self.daemon_path, filename), os.O_CREAT | os.O_WRONLY, mode=0o640), "w") as f:
+            with open(os.open(os.path.join(self.daemon_path, filename), os.O_CREAT | os.O_WRONLY, mode=0o600), "w") as f:
                 f.write(config[filename])
 
         # When __file__ is <stdin> we're being invoked over remoto via the orchestrator, so
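Review bot: The `mode=0o600` argument to `os.open` only takes effect when the call creates the file, so crt/key/token files left at 0640 by an earlier deployment keep that mode when this loop rewrites them. Calling `os.fchmod(f.fileno(), 0o600)` as the first statement inside the `with` would tighten pre-existing files as well. The flags also omit `os.O_TRUNC`, so a shorter replacement would leave trailing bytes of the previous certificate or key in place; `os.O_CREAT | os.O_WRONLY | os.O_TRUNC` avoids that. The enclosing method begins and ends outside this hunk, so an earlier cleanup of the daemon directory may already cover both cases; that is worth confirming.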